Malicious Software Installed on Infiltrated SharePoint Server Arrays
In a concerning turn of events, cybercriminals are leveraging a newly discovered vulnerability, CVE-2025-53770, to infiltrate systems, encrypt sensitive data, and execute ransomware attacks. Over 400 SharePoint systems have reportedly been compromised so far, according to cybersecurity vendor Eye Security.
The attack chain appears to be sophisticated, with the threat actors bypassing identity controls and gaining privileged access in compromised systems. Microsoft has advised on-prem SharePoint customers to assume compromise, even if they have fully patched the two vulnerabilities associated with this attack, CVE-2025-53770 and CVE-2025-53771.
The chained exploitation of these two bugs has been dubbed 'ToolShell' by the cybersecurity community. On July 23, Microsoft revealed that a group called Storm-2603 is distributing Warlock ransomware on exploited SharePoint on-prem servers. Storm-2603 has been assessed with moderate confidence to be a China-based threat actor.
Several high-profile US government agencies are among the victims of the SharePoint campaign. The National Nuclear Security Administration, the Department of Education, the Department of Health and Human Services, and the Department of Homeland Security have all been affected. NextGov has reported that the Department of Homeland Security was among the organizations compromised by the Chinese hackers.
Bloomberg and the Washington Post have reported on the compromises of on-prem SharePoint servers used by the National Nuclear Security Administration, the Department of Education, and the Department of Health and Human Services.
In addition to Storm-2603, two known Chinese nation-state groups, Linen Typhoon and Violet Typhoon, are also known to be exploiting the SharePoint vulnerabilities.
Kevin Robertson, CTO of Acumen Cyber, stated that once inside a victim's network, attackers often look to exploit their access in multiple ways, including by deploying ransomware. Microsoft has advised potentially affected organizations to expand their mitigation efforts to include protection against ransomware.
Multiple waves of attacks took place on and after July 21, after a public proof-of-concept exploit script for CVE-2025-53770/CVE-2025-53771 was released on GitHub. Eye Security added that the attacks came in four confirmed waves, on July 17, 18, 19, and 21.
At the time of writing, no information is available about the names of other organizations targeted in the SharePoint attacks by Chinese actors. All organizations running SharePoint should remain vigilant and take the necessary precautions to protect their systems.